First Medical Management, a health care services provider in California, found a simple way to protect patient records and hospital data, reports Greg Masters.
One of the highest goals for IT professionals inside a health care environment is the protection of patient records and hospital data. For Donald Newton (left), the network security engineer at First Medical Management (FMM), this meant going after the right tool for the job. Given the size of FMM and the high level of traffic going in and out of its network, it had become obvious to Newton and his team that a solution was needed to meet the network's security needs. Also, he realized it was imperitive to meet a number of rules and regulations, such as HIPAA requirements. The search began for a solution that would be flexible to meet FMM's dynamic large and growing environment, as well as be easy to manage and simple for end-users to interact with.
"Inside a hospital from an IT perspective, you want everything to be fast, painless and seamless," he says.
First Medical Management (formerly known as HealthSmart) currently has 15 sites employing more than 700 employees. In Long Beach, California it runs eight sites, as well as Pacific Hospital, a full-service, for-profit, teaching hospital with 184 licensed acute care beds. In addition, it has various clinics and branch offices located throughout southern California, including in Newport Beach, Oxnard, Sherman Oaks and Rancho Cucamonga. Its 20-person IT staff contains three divisions: support desk, application development and IT engineers.
Newton assembled a task force that included another network engineer, Mathew Thacker, and FMM's IT director Matt Winn, to shop for a security solution. At that time they looked at Cisco and Juniper firewalls, Fortinet UTM, and a couple of SonicWall devices.
"Of course, cost is always an issue when purchasing devices of this stature, but so is ability, management, features and support options," says Newton. "We decided by a landslide to choose Fortinet's FortiGate line. At the time, Fortinet was the only true UTM device out there where we could keep everything we needed to accomplish all under one roof. The licensing was nice because we could purchase our subscription and gain access to multiple features without having to pay for individual licenses like some other products. Also, if there was any support issues, Fortinet handled it all from the anti-virus to the firewall to the VPN, so there was no bouncing back between multiple vendors even though it was one physical device. Nothing was outsourced and Fortinet did it all."
Fortinet's FortiGate flagship consolidated security appliance integrates multiple security functions into a single device – including firewall, anti-virus, intrusion prevention, VPN, web filtering, spyware prevention, and anti-spam – for broad protection against both content and network-level threats, says Anthony James, vice president of products for Fortinet. These features include the ability to create role-based policies for employees, easy management of distributed networks of more than 1,000 users, endpoint and core security managed from the same platform and, with the release of Fortinet's new operating system FortiOS 4.0, the ability to have data loss protection (DLP) at no additional cost.
Deployment was a breeze
Newton says that overall his team was surprised by the ease of the deployment. "There were plenty of guides and documentation for deployment as well as administration of devices. Once we had our FortiGate devices installed, there was never a need for downtime, and if we had questions or goals we wanted to accomplish, Fortinet technical support was there to quickly guide us along the way."
From a management perspective everything is simplified by the use of FortiManager, he says. "It enables control of all our devices from one central point. It comes with all the tools you would need. It allows you to update firmware, apply changes on a single or global level throughout the network, and the ability to design future changes and apply them at a later time."
Fortinet's solution is based on a tightly integrated homegrown approach to technology, which differs from other UTM vendors who have acquired technology and cobbled them together, says Fortinet's James. "Fortinet also incorporates security-specific ASIC processors for high performance. Tight integration combined with real-time threat updates enable the strongest and broadest possible threat protection for our customers around the clock."
Being a full UTM device, FortiGate allows full control of just about everything and anything coming in or outside the FMM network, says Newton. "There is the Application Control feature that allows us to block types of applications even if they are web-based."
A good example of this, he points out, is social networking sites. It has become challenging to keep employees off these sites during work hours. Some devices allow administrators to blacklist sites or even IP addresses, but some of these things can be dynamic, Newton says. "The FortiGate devices allows us to block social network sites at the packet level, blocking users from accessing these sites. This also works great with instant messaging programs giving full control over all communication.
Another great function of the device, he says, is data leakage prevention. "Going back to the protection of patient records and confidentiality, this feature allows us to ensure no one can send or upload files outside of the network – for example, if a user using a third-party personal email attempts to send a file to someone or even upload a file to an FTP site that is not allowed, the FortiGate would block this and notify us in the event this occurs."
FMM currently runs a partial mesh environment, which steers its bigger sites over a WAN connection through its main hub. This allows the IT team to manage half the sites using two FortiGate 1000As in a HA setup. Also, for its smaller sites, Newton's team uses FortiGate 60s, which offer similar features.
At the company's data center, they use FortiAnalyzer to run detailed reports on activity, bandwidth consumption and variability assessments; FortiMail, to manage spam; and FortiManager, where everything comes together. This setup allows the IT team to manage all the products from one central location.
Newton says that as the business and sites continue to grow, they plan to move to a full mesh environment where each site would have its own FortiGate UTM device. With that scenario, in the event of a failure, each site would be independent. "Using the Forti-Manager, we were able to justify easy management of this process with the ability to push out updates, firmware or changes to every device at once, making future growth easy to manage where normally expanding means more work."
Everyday, threats seem to increase now that computers and networks are inside every single type of business, Newton says. "This has made security even more important. The fact that you could pay your bills online, buy groceries and even order your child's birthday gift and have it shipped to him at school, that's all great and dandy, but at the end of the day you want to know that you are performing all these great new innovations on a secure platform and have peace of mind knowing your information is secure and protected."
The main threat FMM faces, says Newton, is the fast pace of technology. "We try hard to keep up and always provide leading technology and solutions to our patients and employees. That is also one of the key reasons we are happy we chose Fortinet. As technology changes, they provide these updates and new features to us at no extra cost. If there is a new threat, we get sent updates dynamically over the FortiGuard network. If there is a new demand arising in technology, Fortinet proactively jumps on those types of things and includes them in any upcoming firmware updates, giving us the ability to grow and add more functionality to our devices free of charge."
Two other huge things Newton says his team takes advantage of using the Fortinet devices: "We have the ability using FSAE to control user internet permissions and profiles all through Microsoft Active Directory groups, For example, we have three or four nurses who may use the same computer throughout the day, Well, when nurse one is logged into the computer, she can access any site she wants to across the internet. When she goes home at night and nurse two logs into the same PC, she has limited internet access and can only go to certain sites and or services. This allows us to have a better control scenario because if a user is working at one site then goes to another site, those same internet permissions carry over to anywhere she is working from. That way we don't have to worry about setting up her permissions in multiple locations. It just carries over based off her AD login.
Another feature Newton points to is the system's SSL VPN. "I can't state how much we use and rely on this technology. We have remote users who can work from home or offsite using this technology. Through policies we can restrict or allow this remote user to only mandatory resources while they are on the VPN. Another way we use this VPN is with our VoIP solution. We are able to leverage VoIP over the SSL VPN so users can actually take their desk extension home with them and be reached. This way, when you dial their desk phone they get the call whereever they are in the world at that time without having to change, forward or move anything. Other vendors charge per license for these features. They are included with our subscription."
This feature presents huge value, he adds, and allows his team to operate satellite offices and to minimize costs because all that's needed is an internet connection and the user can access phones and network resources.
Greg Masters is managing editor of SC Magazine. He can be reached at [email protected].